OpenClaw: Malicious Variables Can Execute Code on Your System

GHSA-cg7q-fg22-4g98
Summary

OpenClaw's host exec environment sanitization does not strip certain environment variables, so a malicious caller can set variables that cause code to execute on your system, potentially letting an attacker take control of it. Update to OpenClaw version 2026.3.31 or later to fix this issue.

What to do
  • Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
Original description
## Summary
Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables

## Current Maintainer Triage
- Normalized severity: medium
- Assessment: v2026.3.28 also misses the broader package, registry, compiler, Docker, and TLS env family in the shipped host-env policy, and because the fix on main was unreleased at the time of triage, this is a real, open medium-severity issue.
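Added example, not OpenClaw's code: an allowlist-based host-exec environment sanitizer that also classifies dropped variables by the override families named in this advisory, contrasted with a hypothetical narrow denylist that exhibits the CWE-184 "incomplete list" weakness. The variable names are well-known real variables used as illustrations of each family; the advisory does not publish OpenClaw's exact policy, so none of this is assumed to match it.

```javascript
// Added example (not OpenClaw's code): allowlist-based host-exec env
// sanitization with an audit classification of override families,
// contrasted with a narrow denylist showing the CWE-184 weakness.
// Variable names are well-known real variables used as illustrations;
// the advisory does not list OpenClaw's exact policy.

// Baseline variables a child process generally needs to function.
const SAFE_KEYS = new Set(['PATH', 'HOME', 'USER', 'LANG', 'LC_ALL', 'TZ', 'TERM', 'SHELL', 'TMPDIR']);

// Families from the advisory title, used only to label dropped variables
// for audit logging; the allowlist, not this list, decides what passes.
const OVERRIDE_FAMILIES = [
  { family: 'package/registry', re: /^(npm_config_|pip_|yarn_)/i },
  { family: 'docker',           re: /^DOCKER_/ },
  { family: 'compiler/loader',  re: /^(CC|CXX|CFLAGS|CXXFLAGS|LDFLAGS|LD_PRELOAD|LD_LIBRARY_PATH)$/ },
  { family: 'tls',              re: /^(NODE_TLS_REJECT_UNAUTHORIZED|NODE_EXTRA_CA_CERTS|SSL_CERT_(FILE|DIR)|CURL_CA_BUNDLE|REQUESTS_CA_BUNDLE)$/ },
];

// Hypothetical narrow denylist, the pattern CWE-184 describes: anything
// not on the list passes through untouched.
const NARROW_DENYLIST = new Set(['LD_PRELOAD', 'NODE_OPTIONS']);

function denylistSanitize(env) {
  return Object.fromEntries(Object.entries(env).filter(([k]) => !NARROW_DENYLIST.has(k)));
}

// Allowlist sanitizer: returns the env to hand to the child plus an audit
// record of every dropped key and the override family it belongs to.
function allowlistSanitize(env) {
  const child = {};
  const dropped = [];
  for (const [key, value] of Object.entries(env)) {
    if (SAFE_KEYS.has(key)) { child[key] = value; continue; }
    const hit = OVERRIDE_FAMILIES.find((f) => f.re.test(key));
    dropped.push({ key, family: hit ? hit.family : 'not allowlisted' });
  }
  return { env: child, dropped };
}

// Constructed sample env: a caller-supplied environment carrying one
// variable from each override family alongside the normal baseline.
const SAMPLE_ENV = {
  PATH: '/usr/bin:/bin', HOME: '/home/agent', LANG: 'C.UTF-8',
  npm_config_registry: 'http://registry.example.invalid',
  DOCKER_HOST: 'tcp://127.0.0.1:2375',
  CC: '/tmp/not-a-compiler',
  NODE_TLS_REJECT_UNAUTHORIZED: '0',
};
```

Logging the `dropped` list on every host exec gives defenders a detection signal when a caller repeatedly supplies override-family variables.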

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `eb8de6715f02949c21c4e895fffc8a6dcb00975c` — 2026-03-31T19:37:43+09:00

OpenClaw thanks @tdjackey for reporting.
Severity: CVSS 4.0 score 6.0 (GHSA)
Vulnerability type
CWE-184 (Incomplete List of Disallowed Inputs)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026